Google Delivers Mac Google Earth API Plugin, But at What Cost?

UPDATE: Google has released a version of Google Earth (including the plugin) without the self-updating feature.

The Mac blogs around the ‘net are all abuzz today about Google’s release of a Mac version of the Google Maps API, but I noticed something funny when I installed it.  The plug-in is a standard Mac Internet Plug-In, meaning you can install it at either /Library/Internet Plug-Ins or ~/Library/Internet Plug-Ins.  So why does the install package prompt you for administrator credentials when you choose to install it into your home folder?  The answer lives at /Library/Google.

It turns out that when you install the plugin, the installer also installs a software update component, code-named “keystone.”  It installs the following components:

  • An application bundle at /Library/Google/GoogleSoftwareUpdate/GoogleSoftwareUpdate.bundle
  • A “Ticket Store” at /Library/Google/GoogleSoftwareUpdate/TicketStore/ — does anyone know what this does?  I sure don’t.
  • A LaunchDaemon that runs as root on demand, at /Library/LaunchDaemons/
  • A LaunchAgent (/Library/LaunchAgents/ that runs when you’re logged in, presumably to fire up the daemon so you can receive updates without administrative privileges.

Interestingly enough, this software component is never mentioned by Google.  It isn’t an option you can deselect in the installer.  Even worse, the plugin’s uninstall instructions don’t say a thing about it.  This means that after you follow the plugin uninstall instructions, your computer is still checking in with Google’s servers to make sure that it’s up-to-date.  I’m reluctant to call this malware, but it sure seems like spyware, doesn’t it?  At the very least the installer ought to mention something.

Be cautious when installing this plugin onto any computer where security is essential.  Any software component that runs as root, such as the updater this installer installs, is another attack vector for intruders trying to get at your data.

For what it’s worth, the API plugin does work if you only copy the stuff in /Library/Internet Plug-Ins to a computer or to your user account, so it appears that you can still use the plugin in a secure environment, you’ll just have to update it yourself and not have Google do it for you.

I’ve also mentioned this on the official Google Group.

New Safari 3.2 Feature: Secure Website Identification

Here’s a quick tip that slipped through the blogosphere (at least none of the Mac blogs I subscribe to featured it): in Safari 3.2, released last week, Apple’s added a feature from Firefox 3’s “awesome bar”: when you’re on a secure website, such as a bank’s, that has identification information, it’s displayed in green (though in Safari it’s at the top-right of the title bar).  A screenshot:


Safari 3.2 adds secure website information to the title bar.
Safari 3.2 adds secure website information to the title bar.

Along with a phishing filter, it looks like Safari is stepping up to the plate as a secure browser.

Use DVD Player in Fullscreen Mode on an External Monitor

By default, DVD player will exit fullscreen mode when it’s not the active application.  This is a problem if you want to watch a movie on an external monitor while working on a primary monitor.  To get around it, go to Preferences in DVD Player (DVD Player -> Preferences… or command + ,), switch to the “Full Screen” tab, and ensure that “Remain in full screen when DVD Player is inactive” is checked.  This should achieve the desired results.

Source: Forums

Prevent Mac OS X Leopard from Prompting You to Start Synergyd Every Time You Use SynergyKM

So here’s an annoyance.  Having just installed SynergyKM, a great front-end for the awesome command-line utility Synergy, launching it would result in the following prompt:

The promt you get when launching SynergyKM
The promt you get when launching SynergyKM

To fix this, you need to remove the extended attribute that’s on the file.  Fire up Terminal and enter the following commands:

sudo xattr -d /Library/PreferencePanes/SynergyKM.prefPane/Contents/Resources/
sudo xattr -d /Library/PreferencePanes/SynergyKM.prefPane/Contents/Resources/

That will remove the flags and prevent the prompt.

Normally, you’d only see this prompt once, but since installing it for all users changes permissions such that your user account can’t remove the attribute, it isn’t removed.

Note: This is assuming that you’ve installed it for all users.  If you’ve installed it for one user, it’ll be in ~/Library, not /Library.

Update: I’ve submitted a patch to SynergyKM’s SourceForge page, so if they accept it this will no longer be an issue.